When Active Directory And LDAP Aren't Enough

Published: 22/11/2024   Category: security




Cloud and mobile pose problems for the identity and access management technology at the centerpiece of most enterprises' IAM strategy



Scalability, tight coupling with Microsoft infrastructure, and ease of management in the on-premises world all contributed to catapulting Active Directory and the associated LDAP protocol into the centerpiece of today's typical enterprise IAM strategy. However, with new mobile platforms diversifying the operating system ecosystem, SaaS applications proliferating by the day, and hybrid cloud approaches fast becoming de rigueur, Active Directory and LDAP are starting to show their limitations.
According to Todd McKinnon of IAM start-up Okta, the sustained and pervasive success Active Directory has achieved so far can be largely attributed to Microsoft's tying everything together in such a neat bow.
"Why do people use AD? Because it's your network authentication, because it was the Exchange database for users. If you wanted to do permissions on who can share files on the fileserver, it was the database for that. If it was for printers -- it was the database for printers," he says. "That's why people use it. It's an infrastructure thing. It's behind the applications."
[What IAM gaffes are you making? See 7 Costly IAM Mistakes.]
Even in the cloudless world dominated by the data center, AD had its limits.
"One of the misconceptions is that everything in the old world was integrated from an identity perspective. It really wasn't," says McKinnon. "You have Active Directory that [did] a really good job with Windows clients, Windows servers, Exchange, file and print. Then you have LDAP, and a lot of people use that for big-scale e-commerce sites and databases around that. But this concept that in a large company a lot of the identities were integrated is not true."
Just look at the number of enterprise project disasters around bringing internal applications under a single AD source for proof, says Nishant Kaushik, chief architect at Identropy.
"IAM is littered with failed attempts at rationalizing all internal application development against [a] single AD source," Kaushik says.
Many organizations looked to kill two birds with one stone by repurposing the user identity stores they had managed and curated for their internal environment and applying them to in-house custom applications, Kaushik says. However, most of those deployments ended up going bad.
"The reason is because the model that was put into Active Directory was highly optimized and tuned for AD's primary purposes, which was managing their network infrastructure and Windows environment, Outlook, and stuff like that," he says. "The minute you decide to add in application-specific stuff into that, all of a sudden the performance and the tuning stuff that had happened starts to fall apart."
In today's changing IT environment, relying primarily on AD to do the heavy lifting of identity management is only going to get harder. According to McKinnon, a number of challenges stand in the way. Challenge No. 1: the alternatives to Windows fileservers are drastically changing the collaboration landscape -- just look at the traction Box and Dropbox have gained in the enterprise for evidence of that. As a corollary, challenge No. 2 is that people are moving their collaborative email infrastructure to the cloud.
"When you move that to the cloud, you by definition are decoupling it from close proximity to AD," McKinnon says. "That's true whether it's something like Gmail or Office 365; if you look at how Office 365 gets connected to AD, it's not tightly coupled."
The loose coupling gets even looser when you consider the rapid addition of mobile devices that are outside of the Microsoft ecosystem.
"Companies are doing fewer big deployments of Windows, and if you're looking at what's happening on the client side of the network, Microsoft dominance on the client is changing dramatically," McKinnon says. "Eighty percent of the reason people use AD is because they logged on their PC to the domain. And now half the devices on the Internet aren't even Windows devices."
And that's just the pressure on the front end. On the back end, cloud and SaaS applications are also pulling apart the AD coupling that worked so well in the data center-centric world -- this in spite of the fact that so many SaaS and cloud vendors purport to have AD integration.
"Every SaaS vendor of note that's trying to penetrate the enterprise has built-in support to integrate directly with AD. That's a technology-oriented integration that completely leaves out the process that is needed to actually manage AD cleanly," Kaushik says, explaining that the same application-centric problems of yesteryear are just magnified in the SaaS environment.
One big problem in the new cloud and SaaS model is the hierarchical nature of LDAP, says McKinnon.
"There's root and children. What people are realizing now is that it's not a strict hierarchy in relationships anymore," McKinnon says. "When you have more of these B2B, cross-application modern relationships, you need more of a graph -- like Facebook's API shows us. It's not like there are your friends and my friends, and my friends are a subset of yours. It's the same in business. There are my partners, and my partners have partners."
According to Phil Lieberman of Lieberman Software, in spite of AD's supreme scalability, the problems McKinnon identifies contribute to LDAP's lack of viability as an authentication method organizations can use in the cloud.
"That's not necessarily what they might want to use, and so this brings up the question of federation," says Lieberman, pointing to rumblings of using a mechanism like a Facebook log-in to tie together access to enterprise cloud resources.
He says at the moment he has a bet going with Gartner analyst Lawrence Pingree that enterprises won't be able to make that happen.
"I think the big question is authorization," he says. "Facebook or one of the other identity providers can authenticate. The problem is that LDAP provides authorization, too. If you can't provide authorization, what is the point?"
According to McKinnon, Microsoft isn't tone-deaf about the challenges facing AD in the cloud. They're why the company has turned some of its brightest minds toward developing Windows Azure Active Directory. However, there are challenges with its approach so far.
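The split Lieberman describes, with an external identity provider answering "who is this?" and the enterprise directory still answering "what may they touch?", is easier to see in code. The following is an added example, not code from the article or from any vendor quoted in it. It assumes a simplified federated token (header.payload.signature, HMAC-SHA256 over header.payload with a secret shared with the IdP) standing in for a real SAML or OIDC assertion, and an in-memory dict standing in for LDAP/AD group membership. All names, secrets and group data are constructed for the example.

```python
"""Added example (not from the article): federated authentication with
authorization still resolved from a local group store.

Assumptions (all constructed for this example):
  * the external IdP issues "header.payload.sig", sig = HMAC-SHA256 over
    "header.payload" with IDP_SHARED_SECRET;
  * LOCAL_GROUPS stands in for what an LDAP/AD group lookup would return.
"""
import base64
import hashlib
import hmac
import json
import time

IDP_SHARED_SECRET = b"constructed-demo-secret"   # assumed: shared with the IdP
ISSUER = "https://idp.example"                    # assumed issuer name

# Constructed stand-in for directory group membership (the LDAP/AD side).
LOCAL_GROUPS = {
    "alice@example.com": {"engineering", "vpn-users"},
    "bob@example.com": {"finance"},
}

# Constructed resource-to-group policy; it lives with the enterprise, not the IdP.
RESOURCE_POLICY = {
    "crm-export": {"finance"},
    "source-repo": {"engineering"},
}


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(subject: str, ttl: int = 300, now=None) -> str:
    """Simulate the external IdP signing an authentication assertion.
    It deliberately carries no group or role claims: authentication only."""
    now = int(time.time()) if now is None else now
    header = b64url(json.dumps({"alg": "HS256"}).encode())
    payload = b64url(json.dumps({"iss": ISSUER, "sub": subject,
                                 "iat": now, "exp": now + ttl}).encode())
    sig = hmac.new(IDP_SHARED_SECRET, f"{header}.{payload}".encode(),
                   hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url(sig)}"


def authenticate(token: str, now=None):
    """Verify signature, issuer and expiry; return the subject or None.
    This is all a federated login gives the enterprise: who the user is."""
    try:
        header, payload, sig = token.split(".")
        expected = hmac.new(IDP_SHARED_SECRET, f"{header}.{payload}".encode(),
                            hashlib.sha256).digest()
        if not hmac.compare_digest(expected, b64url_decode(sig)):
            return None                  # tampered payload or foreign key
        claims = json.loads(b64url_decode(payload))
    except (ValueError, UnicodeDecodeError):
        return None                      # malformed token
    now = int(time.time()) if now is None else now
    if claims.get("iss") != ISSUER or claims.get("exp", 0) <= now:
        return None                      # wrong issuer or expired
    return claims.get("sub")


def authorize(subject: str, resource: str) -> bool:
    """Authorization stays with the local directory: the token says who,
    the group store says what that identity may reach."""
    required = RESOURCE_POLICY.get(resource, set())
    if not required:
        return False                     # fail closed on unknown resources
    return bool(LOCAL_GROUPS.get(subject, set()) & required)


def access(token: str, resource: str, now=None) -> bool:
    """Full decision: external authentication, then local authorization."""
    subject = authenticate(token, now)
    return subject is not None and authorize(subject, resource)


if __name__ == "__main__":
    t0 = 1_700_000_000                   # fixed clock so the run is repeatable
    tok = issue_token("alice@example.com", now=t0)
    print(access(tok, "source-repo", now=t0))   # alice is in engineering
    print(access(tok, "crm-export", now=t0))    # alice is not in finance
    print(access(tok, "source-repo", now=t0 + 300))  # expired assertion
```

The point of the layout is that an external provider can be trusted for authentication without being handed the authorization data that today lives in AD group membership; if the group store is unreachable or the resource is unknown, the decision fails closed rather than falling back on whatever the token asserts.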
"One thing is that they're not bundling it tightly to the on-premises infrastructure, which is a challenge," he says. "And, two, is that the API isn't LDAP, which is really different. The reason why is that things are more disconnected, and a tightly coupled protocol is too latent and isn't the right level of granularity for what you need in the cloud."
Ultimately, the chaos is breeding a whole new niche in Identity as a Service (IDaaS) that's being tightly contested by vendors like Okta and Identropy and others like Centrify and Symplified. It's an exploding market that Gartner says will make up a quarter of all new IAM sales by the end of 2014 and 40 percent by 2015, compared with just 5 percent last year. But in the interim, McKinnon says some order even among those players needs to be struck.
"We're going to be making more noise about this, but we think there's a new protocol that's needed," McKinnon says. "It's a new API -- a new protocol for directory services in this new world."